LCOV - code coverage report
Current view: top level - src/backend/libpq - auth-scram.c (source / functions) Hit Total Coverage
Test: PostgreSQL 13devel Lines: 280 357 78.4 %
Date: 2019-09-19 02:07:14 Functions: 17 19 89.5 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*-------------------------------------------------------------------------
       2             :  *
       3             :  * auth-scram.c
       4             :  *    Server-side implementation of the SASL SCRAM-SHA-256 mechanism.
       5             :  *
       6             :  * See the following RFCs for more details:
       7             :  * - RFC 5802: https://tools.ietf.org/html/rfc5802
       8             :  * - RFC 5803: https://tools.ietf.org/html/rfc5803
       9             :  * - RFC 7677: https://tools.ietf.org/html/rfc7677
      10             :  *
      11             :  * Here are some differences:
      12             :  *
      13             :  * - Username from the authentication exchange is not used. The client
      14             :  *   should send an empty string as the username.
      15             :  *
      16             :  * - If the password isn't valid UTF-8, or contains characters prohibited
      17             :  *   by the SASLprep profile, we skip the SASLprep pre-processing and use
      18             :  *   the raw bytes in calculating the hash.
      19             :  *
      20             :  * - If channel binding is used, the channel binding type is always
      21             :  *   "tls-server-end-point".  The spec says the default is "tls-unique"
      22             :  *   (RFC 5802, section 6.1. Default Channel Binding), but there are some
      23             :  *   problems with that.  Firstly, not all SSL libraries provide an API to
      24             :  *   get the TLS Finished message, required to use "tls-unique".  Secondly,
      25             :  *   "tls-unique" is not specified for TLS v1.3, and as of this writing,
      26             :  *   it's not clear if there will be a replacement.  We could support both
      27             :  *   "tls-server-end-point" and "tls-unique", but for our use case,
      28             :  *   "tls-unique" doesn't really have any advantages.  The main advantage
      29             :  *   of "tls-unique" would be that it works even if the server doesn't
      30             :  *   have a certificate, but PostgreSQL requires a server certificate
      31             :  *   whenever SSL is used, anyway.
      32             :  *
      33             :  *
      34             :  * The password stored in pg_authid consists of the iteration count, salt,
      35             :  * StoredKey and ServerKey.
      36             :  *
      37             :  * SASLprep usage
      38             :  * --------------
      39             :  *
      40             :  * One notable difference to the SCRAM specification is that while the
      41             :  * specification dictates that the password is in UTF-8, and prohibits
      42             :  * certain characters, we are more lenient.  If the password isn't a valid
      43             :  * UTF-8 string, or contains prohibited characters, the raw bytes are used
      44             :  * to calculate the hash instead, without SASLprep processing.  This is
      45             :  * because PostgreSQL supports other encodings too, and the encoding being
      46             :  * used during authentication is undefined (client_encoding isn't set until
      47             :  * after authentication).  In effect, we try to interpret the password as
      48             :  * UTF-8 and apply SASLprep processing, but if it looks invalid, we assume
      49             :  * that it's in some other encoding.
      50             :  *
      51             :  * In the worst case, we misinterpret a password that's in a different
      52             :  * encoding as being Unicode, because it happens to consists entirely of
      53             :  * valid UTF-8 bytes, and we apply Unicode normalization to it.  As long
      54             :  * as we do that consistently, that will not lead to failed logins.
      55             :  * Fortunately, the UTF-8 byte sequences that are ignored by SASLprep
      56             :  * don't correspond to any commonly used characters in any of the other
      57             :  * supported encodings, so it should not lead to any significant loss in
      58             :  * entropy, even if the normalization is incorrectly applied to a
      59             :  * non-UTF-8 password.
      60             :  *
      61             :  * Error handling
      62             :  * --------------
      63             :  *
      64             :  * Don't reveal user information to an unauthenticated client.  We don't
      65             :  * want an attacker to be able to probe whether a particular username is
      66             :  * valid.  In SCRAM, the server has to read the salt and iteration count
      67             :  * from the user's password verifier, and send it to the client.  To avoid
      68             :  * revealing whether a user exists, when the client tries to authenticate
      69             :  * with a username that doesn't exist, or doesn't have a valid SCRAM
      70             :  * verifier in pg_authid, we create a fake salt and iteration count
      71             :  * on-the-fly, and proceed with the authentication with that.  In the end,
      72             :  * we'll reject the attempt, as if an incorrect password was given.  When
      73             :  * we are performing a "mock" authentication, the 'doomed' flag in
      74             :  * scram_state is set.
      75             :  *
      76             :  * In the error messages, avoid printing strings from the client, unless
      77             :  * you check that they are pure ASCII.  We don't want an unauthenticated
      78             :  * attacker to be able to spam the logs with characters that are not valid
      79             :  * to the encoding being used, whatever that is.  We cannot avoid that in
      80             :  * general, after logging in, but let's do what we can here.
      81             :  *
      82             :  *
      83             :  * Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
      84             :  * Portions Copyright (c) 1994, Regents of the University of California
      85             :  *
      86             :  * src/backend/libpq/auth-scram.c
      87             :  *
      88             :  *-------------------------------------------------------------------------
      89             :  */
      90             : #include "postgres.h"
      91             : 
      92             : #include <unistd.h>
      93             : 
      94             : #include "access/xlog.h"
      95             : #include "catalog/pg_authid.h"
      96             : #include "catalog/pg_control.h"
      97             : #include "common/base64.h"
      98             : #include "common/saslprep.h"
      99             : #include "common/scram-common.h"
     100             : #include "common/sha2.h"
     101             : #include "libpq/auth.h"
     102             : #include "libpq/crypt.h"
     103             : #include "libpq/scram.h"
     104             : #include "miscadmin.h"
     105             : #include "utils/builtins.h"
     106             : #include "utils/timestamp.h"
     107             : 
     108             : /*
     109             :  * Status data for a SCRAM authentication exchange.  This should be kept
     110             :  * internal to this file.
     111             :  */
     112             : typedef enum
     113             : {
     114             :     SCRAM_AUTH_INIT,
     115             :     SCRAM_AUTH_SALT_SENT,
     116             :     SCRAM_AUTH_FINISHED
     117             : } scram_state_enum;
     118             : 
     119             : typedef struct
     120             : {
     121             :     scram_state_enum state;
     122             : 
     123             :     const char *username;       /* username from startup packet */
     124             : 
     125             :     Port       *port;
     126             :     bool        channel_binding_in_use;
     127             : 
     128             :     int         iterations;
     129             :     char       *salt;           /* base64-encoded */
     130             :     uint8       StoredKey[SCRAM_KEY_LEN];
     131             :     uint8       ServerKey[SCRAM_KEY_LEN];
     132             : 
     133             :     /* Fields of the first message from client */
     134             :     char        cbind_flag;
     135             :     char       *client_first_message_bare;
     136             :     char       *client_username;
     137             :     char       *client_nonce;
     138             : 
     139             :     /* Fields from the last message from client */
     140             :     char       *client_final_message_without_proof;
     141             :     char       *client_final_nonce;
     142             :     char        ClientProof[SCRAM_KEY_LEN];
     143             : 
     144             :     /* Fields generated in the server */
     145             :     char       *server_first_message;
     146             :     char       *server_nonce;
     147             : 
     148             :     /*
     149             :      * If something goes wrong during the authentication, or we are performing
     150             :      * a "mock" authentication (see comments at top of file), the 'doomed'
     151             :      * flag is set.  A reason for the failure, for the server log, is put in
     152             :      * 'logdetail'.
     153             :      */
     154             :     bool        doomed;
     155             :     char       *logdetail;
     156             : } scram_state;
     157             : 
     158             : static void read_client_first_message(scram_state *state, const char *input);
     159             : static void read_client_final_message(scram_state *state, const char *input);
     160             : static char *build_server_first_message(scram_state *state);
     161             : static char *build_server_final_message(scram_state *state);
     162             : static bool verify_client_proof(scram_state *state);
     163             : static bool verify_final_nonce(scram_state *state);
     164             : static void mock_scram_verifier(const char *username, int *iterations,
     165             :                                 char **salt, uint8 *stored_key, uint8 *server_key);
     166             : static bool is_scram_printable(char *p);
     167             : static char *sanitize_char(char c);
     168             : static char *sanitize_str(const char *s);
     169             : static char *scram_mock_salt(const char *username);
     170             : 
     171             : /*
     172             :  * pg_be_scram_get_mechanisms
     173             :  *
     174             :  * Get a list of SASL mechanisms that this module supports.
     175             :  *
     176             :  * For the convenience of building the FE/BE packet that lists the
     177             :  * mechanisms, the names are appended to the given StringInfo buffer,
     178             :  * separated by '\0' bytes.
     179             :  */
     180             : void
     181          30 : pg_be_scram_get_mechanisms(Port *port, StringInfo buf)
     182             : {
     183             :     /*
     184             :      * Advertise the mechanisms in decreasing order of importance.  So the
     185             :      * channel-binding variants go first, if they are supported.  Channel
     186             :      * binding is only supported with SSL, and only if the SSL implementation
     187             :      * has a function to get the certificate's hash.
     188             :      */
     189             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
     190          30 :     if (port->ssl_in_use)
     191             :     {
     192           2 :         appendStringInfoString(buf, SCRAM_SHA_256_PLUS_NAME);
     193           2 :         appendStringInfoChar(buf, '\0');
     194             :     }
     195             : #endif
     196          30 :     appendStringInfoString(buf, SCRAM_SHA_256_NAME);
     197          30 :     appendStringInfoChar(buf, '\0');
     198          30 : }
     199             : 
     200             : /*
     201             :  * pg_be_scram_init
     202             :  *
     203             :  * Initialize a new SCRAM authentication exchange status tracker.  This
     204             :  * needs to be called before doing any exchange.  It will be filled later
     205             :  * after the beginning of the exchange with verifier data.
     206             :  *
     207             :  * 'selected_mech' identifies the SASL mechanism that the client selected.
     208             :  * It should be one of the mechanisms that we support, as returned by
     209             :  * pg_be_scram_get_mechanisms().
     210             :  *
     211             :  * 'shadow_pass' is the role's password verifier, from pg_authid.rolpassword.
     212             :  * The username was provided by the client in the startup message, and is
     213             :  * available in port->user_name.  If 'shadow_pass' is NULL, we still perform
     214             :  * an authentication exchange, but it will fail, as if an incorrect password
     215             :  * was given.
     216             :  */
     217             : void *
     218          30 : pg_be_scram_init(Port *port,
     219             :                  const char *selected_mech,
     220             :                  const char *shadow_pass)
     221             : {
     222             :     scram_state *state;
     223             :     bool        got_verifier;
     224             : 
     225          30 :     state = (scram_state *) palloc0(sizeof(scram_state));
     226          30 :     state->port = port;
     227          30 :     state->state = SCRAM_AUTH_INIT;
     228             : 
     229             :     /*
     230             :      * Parse the selected mechanism.
     231             :      *
     232             :      * Note that if we don't support channel binding, either because the SSL
     233             :      * implementation doesn't support it or we're not using SSL at all, we
     234             :      * would not have advertised the PLUS variant in the first place.  If the
     235             :      * client nevertheless tries to select it, it's a protocol violation like
     236             :      * selecting any other SASL mechanism we don't support.
     237             :      */
     238             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
     239          30 :     if (strcmp(selected_mech, SCRAM_SHA_256_PLUS_NAME) == 0 && port->ssl_in_use)
     240           2 :         state->channel_binding_in_use = true;
     241             :     else
     242             : #endif
     243          28 :     if (strcmp(selected_mech, SCRAM_SHA_256_NAME) == 0)
     244          28 :         state->channel_binding_in_use = false;
     245             :     else
     246           0 :         ereport(ERROR,
     247             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     248             :                  errmsg("client selected an invalid SASL authentication mechanism")));
     249             : 
     250             :     /*
     251             :      * Parse the stored password verifier.
     252             :      */
     253          30 :     if (shadow_pass)
     254             :     {
     255          30 :         int         password_type = get_password_type(shadow_pass);
     256             : 
     257          30 :         if (password_type == PASSWORD_TYPE_SCRAM_SHA_256)
     258             :         {
     259          28 :             if (parse_scram_verifier(shadow_pass, &state->iterations, &state->salt,
     260          28 :                                      state->StoredKey, state->ServerKey))
     261          28 :                 got_verifier = true;
     262             :             else
     263             :             {
     264             :                 /*
     265             :                  * The password looked like a SCRAM verifier, but could not be
     266             :                  * parsed.
     267             :                  */
     268           0 :                 ereport(LOG,
     269             :                         (errmsg("invalid SCRAM verifier for user \"%s\"",
     270             :                                 state->port->user_name)));
     271           0 :                 got_verifier = false;
     272             :             }
     273             :         }
     274             :         else
     275             :         {
     276             :             /*
     277             :              * The user doesn't have SCRAM verifier. (You cannot do SCRAM
     278             :              * authentication with an MD5 hash.)
     279             :              */
     280           2 :             state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
     281           2 :                                         state->port->user_name);
     282           2 :             got_verifier = false;
     283             :         }
     284             :     }
     285             :     else
     286             :     {
     287             :         /*
     288             :          * The caller requested us to perform a dummy authentication.  This is
     289             :          * considered normal, since the caller requested it, so don't set log
     290             :          * detail.
     291             :          */
     292           0 :         got_verifier = false;
     293             :     }
     294             : 
     295             :     /*
     296             :      * If the user did not have a valid SCRAM verifier, we still go through
     297             :      * the motions with a mock one, and fail as if the client supplied an
     298             :      * incorrect password.  This is to avoid revealing information to an
     299             :      * attacker.
     300             :      */
     301          30 :     if (!got_verifier)
     302             :     {
     303           2 :         mock_scram_verifier(state->port->user_name, &state->iterations,
     304           2 :                             &state->salt, state->StoredKey, state->ServerKey);
     305           2 :         state->doomed = true;
     306             :     }
     307             : 
     308          30 :     return state;
     309             : }
     310             : 
     311             : /*
     312             :  * Continue a SCRAM authentication exchange.
     313             :  *
     314             :  * 'input' is the SCRAM payload sent by the client.  On the first call,
     315             :  * 'input' contains the "Initial Client Response" that the client sent as
     316             :  * part of the SASLInitialResponse message, or NULL if no Initial Client
     317             :  * Response was given.  (The SASL specification distinguishes between an
     318             :  * empty response and non-existing one.)  On subsequent calls, 'input'
     319             :  * cannot be NULL.  For convenience in this function, the caller must
     320             :  * ensure that there is a null terminator at input[inputlen].
     321             :  *
     322             :  * The next message to send to client is saved in 'output', for a length
     323             :  * of 'outputlen'.  In the case of an error, optionally store a palloc'd
     324             :  * string at *logdetail that will be sent to the postmaster log (but not
     325             :  * the client).
     326             :  */
     327             : int
     328          60 : pg_be_scram_exchange(void *opaq, const char *input, int inputlen,
     329             :                      char **output, int *outputlen, char **logdetail)
     330             : {
     331          60 :     scram_state *state = (scram_state *) opaq;
     332             :     int         result;
     333             : 
     334          60 :     *output = NULL;
     335             : 
     336             :     /*
     337             :      * If the client didn't include an "Initial Client Response" in the
     338             :      * SASLInitialResponse message, send an empty challenge, to which the
     339             :      * client will respond with the same data that usually comes in the
     340             :      * Initial Client Response.
     341             :      */
     342          60 :     if (input == NULL)
     343             :     {
     344             :         Assert(state->state == SCRAM_AUTH_INIT);
     345             : 
     346           0 :         *output = pstrdup("");
     347           0 :         *outputlen = 0;
     348           0 :         return SASL_EXCHANGE_CONTINUE;
     349             :     }
     350             : 
     351             :     /*
     352             :      * Check that the input length agrees with the string length of the input.
     353             :      * We can ignore inputlen after this.
     354             :      */
     355          60 :     if (inputlen == 0)
     356           0 :         ereport(ERROR,
     357             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     358             :                  errmsg("malformed SCRAM message"),
     359             :                  errdetail("The message is empty.")));
     360          60 :     if (inputlen != strlen(input))
     361           0 :         ereport(ERROR,
     362             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     363             :                  errmsg("malformed SCRAM message"),
     364             :                  errdetail("Message length does not match input length.")));
     365             : 
     366          60 :     switch (state->state)
     367             :     {
     368             :         case SCRAM_AUTH_INIT:
     369             : 
     370             :             /*
     371             :              * Initialization phase.  Receive the first message from client
     372             :              * and be sure that it parsed correctly.  Then send the challenge
     373             :              * to the client.
     374             :              */
     375          30 :             read_client_first_message(state, input);
     376             : 
     377             :             /* prepare message to send challenge */
     378          30 :             *output = build_server_first_message(state);
     379             : 
     380          30 :             state->state = SCRAM_AUTH_SALT_SENT;
     381          30 :             result = SASL_EXCHANGE_CONTINUE;
     382          30 :             break;
     383             : 
     384             :         case SCRAM_AUTH_SALT_SENT:
     385             : 
     386             :             /*
     387             :              * Final phase for the server.  Receive the response to the
     388             :              * challenge previously sent, verify, and let the client know that
     389             :              * everything went well (or not).
     390             :              */
     391          30 :             read_client_final_message(state, input);
     392             : 
     393          30 :             if (!verify_final_nonce(state))
     394           0 :                 ereport(ERROR,
     395             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     396             :                          errmsg("invalid SCRAM response"),
     397             :                          errdetail("Nonce does not match.")));
     398             : 
     399             :             /*
     400             :              * Now check the final nonce and the client proof.
     401             :              *
     402             :              * If we performed a "mock" authentication that we knew would fail
     403             :              * from the get go, this is where we fail.
     404             :              *
     405             :              * The SCRAM specification includes an error code,
     406             :              * "invalid-proof", for authentication failure, but it also allows
     407             :              * erroring out in an application-specific way.  We choose to do
     408             :              * the latter, so that the error message for invalid password is
     409             :              * the same for all authentication methods.  The caller will call
     410             :              * ereport(), when we return SASL_EXCHANGE_FAILURE with no output.
     411             :              *
     412             :              * NB: the order of these checks is intentional.  We calculate the
     413             :              * client proof even in a mock authentication, even though it's
     414             :              * bound to fail, to thwart timing attacks to determine if a role
     415             :              * with the given name exists or not.
     416             :              */
     417          30 :             if (!verify_client_proof(state) || state->doomed)
     418             :             {
     419           8 :                 result = SASL_EXCHANGE_FAILURE;
     420           8 :                 break;
     421             :             }
     422             : 
     423             :             /* Build final message for client */
     424          22 :             *output = build_server_final_message(state);
     425             : 
     426             :             /* Success! */
     427          22 :             result = SASL_EXCHANGE_SUCCESS;
     428          22 :             state->state = SCRAM_AUTH_FINISHED;
     429          22 :             break;
     430             : 
     431             :         default:
     432           0 :             elog(ERROR, "invalid SCRAM exchange state");
     433             :             result = SASL_EXCHANGE_FAILURE;
     434             :     }
     435             : 
     436          60 :     if (result == SASL_EXCHANGE_FAILURE && state->logdetail && logdetail)
     437           2 :         *logdetail = state->logdetail;
     438             : 
     439          60 :     if (*output)
     440          52 :         *outputlen = strlen(*output);
     441             : 
     442          60 :     return result;
     443             : }
     444             : 
     445             : /*
     446             :  * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
     447             :  *
     448             :  * The result is palloc'd, so caller is responsible for freeing it.
     449             :  */
     450             : char *
     451          44 : pg_be_scram_build_verifier(const char *password)
     452             : {
     453             :     char       *prep_password;
     454             :     pg_saslprep_rc rc;
     455             :     char        saltbuf[SCRAM_DEFAULT_SALT_LEN];
     456             :     char       *result;
     457             : 
     458             :     /*
     459             :      * Normalize the password with SASLprep.  If that doesn't work, because
     460             :      * the password isn't valid UTF-8 or contains prohibited characters, just
     461             :      * proceed with the original password.  (See comments at top of file.)
     462             :      */
     463          44 :     rc = pg_saslprep(password, &prep_password);
     464          44 :     if (rc == SASLPREP_SUCCESS)
     465          42 :         password = (const char *) prep_password;
     466             : 
     467             :     /* Generate random salt */
     468          44 :     if (!pg_strong_random(saltbuf, SCRAM_DEFAULT_SALT_LEN))
     469           0 :         ereport(ERROR,
     470             :                 (errcode(ERRCODE_INTERNAL_ERROR),
     471             :                  errmsg("could not generate random salt")));
     472             : 
     473          44 :     result = scram_build_verifier(saltbuf, SCRAM_DEFAULT_SALT_LEN,
     474             :                                   SCRAM_DEFAULT_ITERATIONS, password);
     475             : 
     476          44 :     if (prep_password)
     477          42 :         pfree(prep_password);
     478             : 
     479          44 :     return result;
     480             : }
     481             : 
     482             : /*
     483             :  * Verify a plaintext password against a SCRAM verifier.  This is used when
     484             :  * performing plaintext password authentication for a user that has a SCRAM
     485             :  * verifier stored in pg_authid.
     486             :  */
     487             : bool
     488          14 : scram_verify_plain_password(const char *username, const char *password,
     489             :                             const char *verifier)
     490             : {
     491             :     char       *encoded_salt;
     492             :     char       *salt;
     493             :     int         saltlen;
     494             :     int         iterations;
     495             :     uint8       salted_password[SCRAM_KEY_LEN];
     496             :     uint8       stored_key[SCRAM_KEY_LEN];
     497             :     uint8       server_key[SCRAM_KEY_LEN];
     498             :     uint8       computed_key[SCRAM_KEY_LEN];
     499             :     char       *prep_password;
     500             :     pg_saslprep_rc rc;
     501             : 
     502          14 :     if (!parse_scram_verifier(verifier, &iterations, &encoded_salt,
     503             :                               stored_key, server_key))
     504             :     {
     505             :         /*
     506             :          * The password looked like a SCRAM verifier, but could not be parsed.
     507             :          */
     508           0 :         ereport(LOG,
     509             :                 (errmsg("invalid SCRAM verifier for user \"%s\"", username)));
     510           0 :         return false;
     511             :     }
     512             : 
     513          14 :     saltlen = pg_b64_dec_len(strlen(encoded_salt));
     514          14 :     salt = palloc(saltlen);
     515          14 :     saltlen = pg_b64_decode(encoded_salt, strlen(encoded_salt), salt,
     516             :                             saltlen);
     517          14 :     if (saltlen < 0)
     518             :     {
     519           0 :         ereport(LOG,
     520             :                 (errmsg("invalid SCRAM verifier for user \"%s\"", username)));
     521           0 :         return false;
     522             :     }
     523             : 
     524             :     /* Normalize the password */
     525          14 :     rc = pg_saslprep(password, &prep_password);
     526          14 :     if (rc == SASLPREP_SUCCESS)
     527          14 :         password = prep_password;
     528             : 
     529             :     /* Compute Server Key based on the user-supplied plaintext password */
     530          14 :     scram_SaltedPassword(password, salt, saltlen, iterations, salted_password);
     531          14 :     scram_ServerKey(salted_password, computed_key);
     532             : 
     533          14 :     if (prep_password)
     534          14 :         pfree(prep_password);
     535             : 
     536             :     /*
     537             :      * Compare the verifier's Server Key with the one computed from the
     538             :      * user-supplied password.
     539             :      */
     540          14 :     return memcmp(computed_key, server_key, SCRAM_KEY_LEN) == 0;
     541             : }
     542             : 
     543             : 
     544             : /*
     545             :  * Parse and validate format of given SCRAM verifier.
     546             :  *
     547             :  * On success, the iteration count, salt, stored key, and server key are
     548             :  * extracted from the verifier, and returned to the caller.  For 'stored_key'
     549             :  * and 'server_key', the caller must pass pre-allocated buffers of size
     550             :  * SCRAM_KEY_LEN.  Salt is returned as a base64-encoded, null-terminated
     551             :  * string.  The buffer for the salt is palloc'd by this function.
     552             :  *
     553             :  * Returns true if the SCRAM verifier has been parsed, and false otherwise.
     554             :  */
     555             : bool
     556         268 : parse_scram_verifier(const char *verifier, int *iterations, char **salt,
     557             :                      uint8 *stored_key, uint8 *server_key)
     558             : {
     559             :     char       *v;
     560             :     char       *p;
     561             :     char       *scheme_str;
     562             :     char       *salt_str;
     563             :     char       *iterations_str;
     564             :     char       *storedkey_str;
     565             :     char       *serverkey_str;
     566             :     int         decoded_len;
     567             :     char       *decoded_salt_buf;
     568             :     char       *decoded_stored_buf;
     569             :     char       *decoded_server_buf;
     570             : 
     571             :     /*
     572             :      * The verifier is of form:
     573             :      *
     574             :      * SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>
     575             :      */
     576         268 :     v = pstrdup(verifier);
     577         268 :     if ((scheme_str = strtok(v, "$")) == NULL)
     578           0 :         goto invalid_verifier;
     579         268 :     if ((iterations_str = strtok(NULL, ":")) == NULL)
     580         124 :         goto invalid_verifier;
     581         144 :     if ((salt_str = strtok(NULL, "$")) == NULL)
     582           8 :         goto invalid_verifier;
     583         136 :     if ((storedkey_str = strtok(NULL, ":")) == NULL)
     584           0 :         goto invalid_verifier;
     585         136 :     if ((serverkey_str = strtok(NULL, "")) == NULL)
     586           0 :         goto invalid_verifier;
     587             : 
     588             :     /* Parse the fields */
     589         136 :     if (strcmp(scheme_str, "SCRAM-SHA-256") != 0)
     590           0 :         goto invalid_verifier;
     591             : 
     592         136 :     errno = 0;
     593         136 :     *iterations = strtol(iterations_str, &p, 10);
     594         136 :     if (*p || errno != 0)
     595             :         goto invalid_verifier;
     596             : 
     597             :     /*
     598             :      * Verify that the salt is in Base64-encoded format, by decoding it,
     599             :      * although we return the encoded version to the caller.
     600             :      */
     601         136 :     decoded_len = pg_b64_dec_len(strlen(salt_str));
     602         136 :     decoded_salt_buf = palloc(decoded_len);
     603         136 :     decoded_len = pg_b64_decode(salt_str, strlen(salt_str),
     604             :                                 decoded_salt_buf, decoded_len);
     605         136 :     if (decoded_len < 0)
     606           0 :         goto invalid_verifier;
     607         136 :     *salt = pstrdup(salt_str);
     608             : 
     609             :     /*
     610             :      * Decode StoredKey and ServerKey.
     611             :      */
     612         136 :     decoded_len = pg_b64_dec_len(strlen(storedkey_str));
     613         136 :     decoded_stored_buf = palloc(decoded_len);
     614         136 :     decoded_len = pg_b64_decode(storedkey_str, strlen(storedkey_str),
     615             :                                 decoded_stored_buf, decoded_len);
     616         136 :     if (decoded_len != SCRAM_KEY_LEN)
     617           8 :         goto invalid_verifier;
     618         128 :     memcpy(stored_key, decoded_stored_buf, SCRAM_KEY_LEN);
     619             : 
     620         128 :     decoded_len = pg_b64_dec_len(strlen(serverkey_str));
     621         128 :     decoded_server_buf = palloc(decoded_len);
     622         128 :     decoded_len = pg_b64_decode(serverkey_str, strlen(serverkey_str),
     623             :                                 decoded_server_buf, decoded_len);
     624         128 :     if (decoded_len != SCRAM_KEY_LEN)
     625           8 :         goto invalid_verifier;
     626         120 :     memcpy(server_key, decoded_server_buf, SCRAM_KEY_LEN);
     627             : 
     628         120 :     return true;
     629             : 
     630             : invalid_verifier:
     631         148 :     *salt = NULL;
     632         148 :     return false;
     633             : }
     634             : 
     635             : /*
     636             :  * Generate plausible SCRAM verifier parameters for mock authentication.
     637             :  *
     638             :  * In a normal authentication, these are extracted from the verifier
     639             :  * stored in the server.  This function generates values that look
     640             :  * realistic, for when there is no stored verifier.
     641             :  *
     642             :  * Like in parse_scram_verifier(), for 'stored_key' and 'server_key', the
     643             :  * caller must pass pre-allocated buffers of size SCRAM_KEY_LEN, and
     644             :  * the buffer for the salt is palloc'd by this function.
     645             :  */
     646             : static void
     647           2 : mock_scram_verifier(const char *username, int *iterations, char **salt,
     648             :                     uint8 *stored_key, uint8 *server_key)
     649             : {
     650             :     char       *raw_salt;
     651             :     char       *encoded_salt;
     652             :     int         encoded_len;
     653             : 
     654             :     /* Generate deterministic salt */
     655           2 :     raw_salt = scram_mock_salt(username);
     656             : 
     657           2 :     encoded_len = pg_b64_enc_len(SCRAM_DEFAULT_SALT_LEN);
     658             :     /* don't forget the zero-terminator */
     659           2 :     encoded_salt = (char *) palloc(encoded_len + 1);
     660           2 :     encoded_len = pg_b64_encode(raw_salt, SCRAM_DEFAULT_SALT_LEN, encoded_salt,
     661             :                                 encoded_len);
     662             : 
     663             :     /*
     664             :      * Note that we cannot reveal any information to an attacker here so the
     665             :      * error message needs to remain generic.  This should never fail anyway
     666             :      * as the salt generated for mock authentication uses the cluster's nonce
     667             :      * value.
     668             :      */
     669           2 :     if (encoded_len < 0)
     670           0 :         elog(ERROR, "could not encode salt");
     671           2 :     encoded_salt[encoded_len] = '\0';
     672             : 
     673           2 :     *salt = encoded_salt;
     674           2 :     *iterations = SCRAM_DEFAULT_ITERATIONS;
     675             : 
     676             :     /* StoredKey and ServerKey are not used in a doomed authentication */
     677           2 :     memset(stored_key, 0, SCRAM_KEY_LEN);
     678           2 :     memset(server_key, 0, SCRAM_KEY_LEN);
     679           2 : }
     680             : 
     681             : /*
     682             :  * Read the value in a given SCRAM exchange message for given attribute.
     683             :  */
     684             : static char *
     685         122 : read_attr_value(char **input, char attr)
     686             : {
     687         122 :     char       *begin = *input;
     688             :     char       *end;
     689             : 
     690         122 :     if (*begin != attr)
     691           0 :         ereport(ERROR,
     692             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     693             :                  errmsg("malformed SCRAM message"),
     694             :                  errdetail("Expected attribute \"%c\" but found \"%s\".",
     695             :                            attr, sanitize_char(*begin))));
     696         122 :     begin++;
     697             : 
     698         122 :     if (*begin != '=')
     699           0 :         ereport(ERROR,
     700             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     701             :                  errmsg("malformed SCRAM message"),
     702             :                  errdetail("Expected character \"=\" for attribute \"%c\".", attr)));
     703         122 :     begin++;
     704             : 
     705         122 :     end = begin;
     706        2708 :     while (*end && *end != ',')
     707        2464 :         end++;
     708             : 
     709         122 :     if (*end)
     710             :     {
     711          92 :         *end = '\0';
     712          92 :         *input = end + 1;
     713             :     }
     714             :     else
     715          30 :         *input = end;
     716             : 
     717         122 :     return begin;
     718             : }
     719             : 
     720             : static bool
     721          30 : is_scram_printable(char *p)
     722             : {
     723             :     /*------
     724             :      * Printable characters, as defined by SCRAM spec: (RFC 5802)
     725             :      *
     726             :      *  printable       = %x21-2B / %x2D-7E
     727             :      *                    ;; Printable ASCII except ",".
     728             :      *                    ;; Note that any "printable" is also
     729             :      *                    ;; a valid "value".
     730             :      *------
     731             :      */
     732         750 :     for (; *p; p++)
     733             :     {
     734         720 :         if (*p < 0x21 || *p > 0x7E || *p == 0x2C /* comma */ )
     735           0 :             return false;
     736             :     }
     737          30 :     return true;
     738             : }
     739             : 
     740             : /*
     741             :  * Convert an arbitrary byte to printable form.  For error messages.
     742             :  *
     743             :  * If it's a printable ASCII character, print it as a single character.
     744             :  * otherwise, print it in hex.
     745             :  *
     746             :  * The returned pointer points to a static buffer.
     747             :  */
     748             : static char *
     749           0 : sanitize_char(char c)
     750             : {
     751             :     static char buf[5];
     752             : 
     753           0 :     if (c >= 0x21 && c <= 0x7E)
     754           0 :         snprintf(buf, sizeof(buf), "'%c'", c);
     755             :     else
     756           0 :         snprintf(buf, sizeof(buf), "0x%02x", (unsigned char) c);
     757           0 :     return buf;
     758             : }
     759             : 
     760             : /*
     761             :  * Convert an arbitrary string to printable form, for error messages.
     762             :  *
     763             :  * Anything that's not a printable ASCII character is replaced with
     764             :  * '?', and the string is truncated at 30 characters.
     765             :  *
     766             :  * The returned pointer points to a static buffer.
     767             :  */
     768             : static char *
     769           0 : sanitize_str(const char *s)
     770             : {
     771             :     static char buf[30 + 1];
     772             :     int         i;
     773             : 
     774           0 :     for (i = 0; i < sizeof(buf) - 1; i++)
     775             :     {
     776           0 :         char        c = s[i];
     777             : 
     778           0 :         if (c == '\0')
     779           0 :             break;
     780             : 
     781           0 :         if (c >= 0x21 && c <= 0x7E)
     782           0 :             buf[i] = c;
     783             :         else
     784           0 :             buf[i] = '?';
     785             :     }
     786           0 :     buf[i] = '\0';
     787           0 :     return buf;
     788             : }
     789             : 
     790             : /*
     791             :  * Read the next attribute and value in a SCRAM exchange message.
     792             :  *
     793             :  * The attribute character is set in *attr_p, the attribute value is the
     794             :  * return value.
     795             :  */
     796             : static char *
     797          30 : read_any_attr(char **input, char *attr_p)
     798             : {
     799          30 :     char       *begin = *input;
     800             :     char       *end;
     801          30 :     char        attr = *begin;
     802             : 
     803          30 :     if (attr == '\0')
     804           0 :         ereport(ERROR,
     805             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     806             :                  errmsg("malformed SCRAM message"),
     807             :                  errdetail("Attribute expected, but found end of string.")));
     808             : 
     809             :     /*------
     810             :      * attr-val        = ALPHA "=" value
     811             :      *                   ;; Generic syntax of any attribute sent
     812             :      *                   ;; by server or client
     813             :      *------
     814             :      */
     815          30 :     if (!((attr >= 'A' && attr <= 'Z') ||
     816          30 :           (attr >= 'a' && attr <= 'z')))
     817           0 :         ereport(ERROR,
     818             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     819             :                  errmsg("malformed SCRAM message"),
     820             :                  errdetail("Attribute expected, but found invalid character \"%s\".",
     821             :                            sanitize_char(attr))));
     822          30 :     if (attr_p)
     823          30 :         *attr_p = attr;
     824          30 :     begin++;
     825             : 
     826          30 :     if (*begin != '=')
     827           0 :         ereport(ERROR,
     828             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     829             :                  errmsg("malformed SCRAM message"),
     830             :                  errdetail("Expected character \"=\" for attribute \"%c\".", attr)));
     831          30 :     begin++;
     832             : 
     833          30 :     end = begin;
     834        1380 :     while (*end && *end != ',')
     835        1320 :         end++;
     836             : 
     837          30 :     if (*end)
     838             :     {
     839           0 :         *end = '\0';
     840           0 :         *input = end + 1;
     841             :     }
     842             :     else
     843          30 :         *input = end;
     844             : 
     845          30 :     return begin;
     846             : }
     847             : 
     848             : /*
     849             :  * Read and parse the first message from client in the context of a SCRAM
     850             :  * authentication exchange message.
     851             :  *
     852             :  * At this stage, any errors will be reported directly with ereport(ERROR).
     853             :  */
     854             : static void
     855          30 : read_client_first_message(scram_state *state, const char *input)
     856             : {
     857          30 :     char       *p = pstrdup(input);
     858             :     char       *channel_binding_type;
     859             : 
     860             : 
     861             :     /*------
     862             :      * The syntax for the client-first-message is: (RFC 5802)
     863             :      *
     864             :      * saslname        = 1*(value-safe-char / "=2C" / "=3D")
     865             :      *                   ;; Conforms to <value>.
     866             :      *
     867             :      * authzid         = "a=" saslname
     868             :      *                   ;; Protocol specific.
     869             :      *
     870             :      * cb-name         = 1*(ALPHA / DIGIT / "." / "-")
     871             :      *                    ;; See RFC 5056, Section 7.
     872             :      *                    ;; E.g., "tls-server-end-point" or
     873             :      *                    ;; "tls-unique".
     874             :      *
     875             :      * gs2-cbind-flag  = ("p=" cb-name) / "n" / "y"
     876             :      *                   ;; "n" -> client doesn't support channel binding.
     877             :      *                   ;; "y" -> client does support channel binding
     878             :      *                   ;;        but thinks the server does not.
     879             :      *                   ;; "p" -> client requires channel binding.
     880             :      *                   ;; The selected channel binding follows "p=".
     881             :      *
     882             :      * gs2-header      = gs2-cbind-flag "," [ authzid ] ","
     883             :      *                   ;; GS2 header for SCRAM
     884             :      *                   ;; (the actual GS2 header includes an optional
     885             :      *                   ;; flag to indicate that the GSS mechanism is not
     886             :      *                   ;; "standard", but since SCRAM is "standard", we
     887             :      *                   ;; don't include that flag).
     888             :      *
     889             :      * username        = "n=" saslname
     890             :      *                   ;; Usernames are prepared using SASLprep.
     891             :      *
     892             :      * reserved-mext  = "m=" 1*(value-char)
     893             :      *                   ;; Reserved for signaling mandatory extensions.
     894             :      *                   ;; The exact syntax will be defined in
     895             :      *                   ;; the future.
     896             :      *
     897             :      * nonce           = "r=" c-nonce [s-nonce]
     898             :      *                   ;; Second part provided by server.
     899             :      *
     900             :      * c-nonce         = printable
     901             :      *
     902             :      * client-first-message-bare =
     903             :      *                   [reserved-mext ","]
     904             :      *                   username "," nonce ["," extensions]
     905             :      *
     906             :      * client-first-message =
     907             :      *                   gs2-header client-first-message-bare
     908             :      *
     909             :      * For example:
     910             :      * n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL
     911             :      *
     912             :      * The "n,," in the beginning means that the client doesn't support
     913             :      * channel binding, and no authzid is given.  "n=user" is the username.
     914             :      * However, in PostgreSQL the username is sent in the startup packet, and
     915             :      * the username in the SCRAM exchange is ignored.  libpq always sends it
     916             :      * as an empty string.  The last part, "r=fyko+d2lbbFgONRv9qkxdawL" is
     917             :      * the client nonce.
     918             :      *------
     919             :      */
     920             : 
     921             :     /*
     922             :      * Read gs2-cbind-flag.  (For details see also RFC 5802 Section 6 "Channel
     923             :      * Binding".)
     924             :      */
     925          30 :     state->cbind_flag = *p;
     926          30 :     switch (*p)
     927             :     {
     928             :         case 'n':
     929             : 
     930             :             /*
     931             :              * The client does not support channel binding or has simply
     932             :              * decided to not use it.  In that case just let it go.
     933             :              */
     934          28 :             if (state->channel_binding_in_use)
     935           0 :                 ereport(ERROR,
     936             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     937             :                          errmsg("malformed SCRAM message"),
     938             :                          errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
     939             : 
     940          28 :             p++;
     941          28 :             if (*p != ',')
     942           0 :                 ereport(ERROR,
     943             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     944             :                          errmsg("malformed SCRAM message"),
     945             :                          errdetail("Comma expected, but found character \"%s\".",
     946             :                                    sanitize_char(*p))));
     947          28 :             p++;
     948          28 :             break;
     949             :         case 'y':
     950             : 
     951             :             /*
     952             :              * The client supports channel binding and thinks that the server
     953             :              * does not.  In this case, the server must fail authentication if
     954             :              * it supports channel binding.
     955             :              */
     956           0 :             if (state->channel_binding_in_use)
     957           0 :                 ereport(ERROR,
     958             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     959             :                          errmsg("malformed SCRAM message"),
     960             :                          errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
     961             : 
     962             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
     963           0 :             if (state->port->ssl_in_use)
     964           0 :                 ereport(ERROR,
     965             :                         (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
     966             :                          errmsg("SCRAM channel binding negotiation error"),
     967             :                          errdetail("The client supports SCRAM channel binding but thinks the server does not.  "
     968             :                                    "However, this server does support channel binding.")));
     969             : #endif
     970           0 :             p++;
     971           0 :             if (*p != ',')
     972           0 :                 ereport(ERROR,
     973             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     974             :                          errmsg("malformed SCRAM message"),
     975             :                          errdetail("Comma expected, but found character \"%s\".",
     976             :                                    sanitize_char(*p))));
     977           0 :             p++;
     978           0 :             break;
     979             :         case 'p':
     980             : 
     981             :             /*
     982             :              * The client requires channel binding.  Channel binding type
     983             :              * follows, e.g., "p=tls-server-end-point".
     984             :              */
     985           2 :             if (!state->channel_binding_in_use)
     986           0 :                 ereport(ERROR,
     987             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     988             :                          errmsg("malformed SCRAM message"),
     989             :                          errdetail("The client selected SCRAM-SHA-256 without channel binding, but the SCRAM message includes channel binding data.")));
     990             : 
     991           2 :             channel_binding_type = read_attr_value(&p, 'p');
     992             : 
     993             :             /*
     994             :              * The only channel binding type we support is
     995             :              * tls-server-end-point.
     996             :              */
     997           2 :             if (strcmp(channel_binding_type, "tls-server-end-point") != 0)
     998           0 :                 ereport(ERROR,
     999             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1000             :                          (errmsg("unsupported SCRAM channel-binding type \"%s\"",
    1001             :                                  sanitize_str(channel_binding_type)))));
    1002           2 :             break;
    1003             :         default:
    1004           0 :             ereport(ERROR,
    1005             :                     (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1006             :                      errmsg("malformed SCRAM message"),
    1007             :                      errdetail("Unexpected channel-binding flag \"%s\".",
    1008             :                                sanitize_char(*p))));
    1009             :     }
    1010             : 
    1011             :     /*
    1012             :      * Forbid optional authzid (authorization identity).  We don't support it.
    1013             :      */
    1014          30 :     if (*p == 'a')
    1015           0 :         ereport(ERROR,
    1016             :                 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
    1017             :                  errmsg("client uses authorization identity, but it is not supported")));
    1018          30 :     if (*p != ',')
    1019           0 :         ereport(ERROR,
    1020             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1021             :                  errmsg("malformed SCRAM message"),
    1022             :                  errdetail("Unexpected attribute \"%s\" in client-first-message.",
    1023             :                            sanitize_char(*p))));
    1024          30 :     p++;
    1025             : 
    1026          30 :     state->client_first_message_bare = pstrdup(p);
    1027             : 
    1028             :     /*
    1029             :      * Any mandatory extensions would go here.  We don't support any.
    1030             :      *
    1031             :      * RFC 5802 specifies error code "e=extensions-not-supported" for this,
    1032             :      * but it can only be sent in the server-final message.  We prefer to fail
    1033             :      * immediately (which the RFC also allows).
    1034             :      */
    1035          30 :     if (*p == 'm')
    1036           0 :         ereport(ERROR,
    1037             :                 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
    1038             :                  errmsg("client requires an unsupported SCRAM extension")));
    1039             : 
    1040             :     /*
    1041             :      * Read username.  Note: this is ignored.  We use the username from the
    1042             :      * startup message instead, still it is kept around if provided as it
    1043             :      * proves to be useful for debugging purposes.
    1044             :      */
    1045          30 :     state->client_username = read_attr_value(&p, 'n');
    1046             : 
    1047             :     /* read nonce and check that it is made of only printable characters */
    1048          30 :     state->client_nonce = read_attr_value(&p, 'r');
    1049          30 :     if (!is_scram_printable(state->client_nonce))
    1050           0 :         ereport(ERROR,
    1051             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1052             :                  errmsg("non-printable characters in SCRAM nonce")));
    1053             : 
    1054             :     /*
    1055             :      * There can be any number of optional extensions after this.  We don't
    1056             :      * support any extensions, so ignore them.
    1057             :      */
    1058          60 :     while (*p != '\0')
    1059           0 :         read_any_attr(&p, NULL);
    1060             : 
    1061             :     /* success! */
    1062          30 : }
    1063             : 
    1064             : /*
    1065             :  * Verify the final nonce contained in the last message received from
    1066             :  * client in an exchange.
    1067             :  */
    1068             : static bool
    1069          30 : verify_final_nonce(scram_state *state)
    1070             : {
    1071          30 :     int         client_nonce_len = strlen(state->client_nonce);
    1072          30 :     int         server_nonce_len = strlen(state->server_nonce);
    1073          30 :     int         final_nonce_len = strlen(state->client_final_nonce);
    1074             : 
    1075          30 :     if (final_nonce_len != client_nonce_len + server_nonce_len)
    1076           0 :         return false;
    1077          30 :     if (memcmp(state->client_final_nonce, state->client_nonce, client_nonce_len) != 0)
    1078           0 :         return false;
    1079          30 :     if (memcmp(state->client_final_nonce + client_nonce_len, state->server_nonce, server_nonce_len) != 0)
    1080           0 :         return false;
    1081             : 
    1082          30 :     return true;
    1083             : }
    1084             : 
    1085             : /*
    1086             :  * Verify the client proof contained in the last message received from
    1087             :  * client in an exchange.
    1088             :  */
    1089             : static bool
    1090          30 : verify_client_proof(scram_state *state)
    1091             : {
    1092             :     uint8       ClientSignature[SCRAM_KEY_LEN];
    1093             :     uint8       ClientKey[SCRAM_KEY_LEN];
    1094             :     uint8       client_StoredKey[SCRAM_KEY_LEN];
    1095             :     scram_HMAC_ctx ctx;
    1096             :     int         i;
    1097             : 
    1098             :     /* calculate ClientSignature */
    1099          30 :     scram_HMAC_init(&ctx, state->StoredKey, SCRAM_KEY_LEN);
    1100          60 :     scram_HMAC_update(&ctx,
    1101          30 :                       state->client_first_message_bare,
    1102          30 :                       strlen(state->client_first_message_bare));
    1103          30 :     scram_HMAC_update(&ctx, ",", 1);
    1104          60 :     scram_HMAC_update(&ctx,
    1105          30 :                       state->server_first_message,
    1106          30 :                       strlen(state->server_first_message));
    1107          30 :     scram_HMAC_update(&ctx, ",", 1);
    1108          60 :     scram_HMAC_update(&ctx,
    1109          30 :                       state->client_final_message_without_proof,
    1110          30 :                       strlen(state->client_final_message_without_proof));
    1111          30 :     scram_HMAC_final(ClientSignature, &ctx);
    1112             : 
    1113             :     /* Extract the ClientKey that the client calculated from the proof */
    1114         990 :     for (i = 0; i < SCRAM_KEY_LEN; i++)
    1115         960 :         ClientKey[i] = state->ClientProof[i] ^ ClientSignature[i];
    1116             : 
    1117             :     /* Hash it one more time, and compare with StoredKey */
    1118          30 :     scram_H(ClientKey, SCRAM_KEY_LEN, client_StoredKey);
    1119             : 
    1120          30 :     if (memcmp(client_StoredKey, state->StoredKey, SCRAM_KEY_LEN) != 0)
    1121           8 :         return false;
    1122             : 
    1123          22 :     return true;
    1124             : }
    1125             : 
    1126             : /*
    1127             :  * Build the first server-side message sent to the client in a SCRAM
    1128             :  * communication exchange.
    1129             :  */
    1130             : static char *
    1131          30 : build_server_first_message(scram_state *state)
    1132             : {
    1133             :     /*------
    1134             :      * The syntax for the server-first-message is: (RFC 5802)
    1135             :      *
    1136             :      * server-first-message =
    1137             :      *                   [reserved-mext ","] nonce "," salt ","
    1138             :      *                   iteration-count ["," extensions]
    1139             :      *
    1140             :      * nonce           = "r=" c-nonce [s-nonce]
    1141             :      *                   ;; Second part provided by server.
    1142             :      *
    1143             :      * c-nonce         = printable
    1144             :      *
    1145             :      * s-nonce         = printable
    1146             :      *
    1147             :      * salt            = "s=" base64
    1148             :      *
    1149             :      * iteration-count = "i=" posit-number
    1150             :      *                   ;; A positive number.
    1151             :      *
    1152             :      * Example:
    1153             :      *
    1154             :      * r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096
    1155             :      *------
    1156             :      */
    1157             : 
    1158             :     /*
    1159             :      * Per the spec, the nonce may consist of any printable ASCII characters.
    1160             :      * For convenience, however, we don't use the whole range available,
    1161             :      * rather, we generate some random bytes, and base64 encode them.
    1162             :      */
    1163             :     char        raw_nonce[SCRAM_RAW_NONCE_LEN];
    1164             :     int         encoded_len;
    1165             : 
    1166          30 :     if (!pg_strong_random(raw_nonce, SCRAM_RAW_NONCE_LEN))
    1167           0 :         ereport(ERROR,
    1168             :                 (errcode(ERRCODE_INTERNAL_ERROR),
    1169             :                  errmsg("could not generate random nonce")));
    1170             : 
    1171          30 :     encoded_len = pg_b64_enc_len(SCRAM_RAW_NONCE_LEN);
    1172             :     /* don't forget the zero-terminator */
    1173          30 :     state->server_nonce = palloc(encoded_len + 1);
    1174          30 :     encoded_len = pg_b64_encode(raw_nonce, SCRAM_RAW_NONCE_LEN,
    1175             :                                 state->server_nonce, encoded_len);
    1176          30 :     if (encoded_len < 0)
    1177           0 :         ereport(ERROR,
    1178             :                 (errcode(ERRCODE_INTERNAL_ERROR),
    1179             :                  errmsg("could not encode random nonce")));
    1180          30 :     state->server_nonce[encoded_len] = '\0';
    1181             : 
    1182          30 :     state->server_first_message =
    1183          30 :         psprintf("r=%s%s,s=%s,i=%u",
    1184             :                  state->client_nonce, state->server_nonce,
    1185             :                  state->salt, state->iterations);
    1186             : 
    1187          30 :     return pstrdup(state->server_first_message);
    1188             : }
    1189             : 
    1190             : 
    1191             : /*
    1192             :  * Read and parse the final message received from client.
    1193             :  */
    1194             : static void
    1195          30 : read_client_final_message(scram_state *state, const char *input)
    1196             : {
    1197             :     char        attr;
    1198             :     char       *channel_binding;
    1199             :     char       *value;
    1200             :     char       *begin,
    1201             :                *proof;
    1202             :     char       *p;
    1203             :     char       *client_proof;
    1204             :     int         client_proof_len;
    1205             : 
    1206          30 :     begin = p = pstrdup(input);
    1207             : 
    1208             :     /*------
    1209             :      * The syntax for the server-first-message is: (RFC 5802)
    1210             :      *
    1211             :      * gs2-header      = gs2-cbind-flag "," [ authzid ] ","
    1212             :      *                   ;; GS2 header for SCRAM
    1213             :      *                   ;; (the actual GS2 header includes an optional
    1214             :      *                   ;; flag to indicate that the GSS mechanism is not
    1215             :      *                   ;; "standard", but since SCRAM is "standard", we
    1216             :      *                   ;; don't include that flag).
    1217             :      *
    1218             :      * cbind-input   = gs2-header [ cbind-data ]
    1219             :      *                   ;; cbind-data MUST be present for
    1220             :      *                   ;; gs2-cbind-flag of "p" and MUST be absent
    1221             :      *                   ;; for "y" or "n".
    1222             :      *
    1223             :      * channel-binding = "c=" base64
    1224             :      *                   ;; base64 encoding of cbind-input.
    1225             :      *
    1226             :      * proof           = "p=" base64
    1227             :      *
    1228             :      * client-final-message-without-proof =
    1229             :      *                   channel-binding "," nonce [","
    1230             :      *                   extensions]
    1231             :      *
    1232             :      * client-final-message =
    1233             :      *                   client-final-message-without-proof "," proof
    1234             :      *------
    1235             :      */
    1236             : 
    1237             :     /*
    1238             :      * Read channel binding.  This repeats the channel-binding flags and is
    1239             :      * then followed by the actual binding data depending on the type.
    1240             :      */
    1241          30 :     channel_binding = read_attr_value(&p, 'c');
    1242          30 :     if (state->channel_binding_in_use)
    1243             :     {
    1244             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
    1245           2 :         const char *cbind_data = NULL;
    1246           2 :         size_t      cbind_data_len = 0;
    1247             :         size_t      cbind_header_len;
    1248             :         char       *cbind_input;
    1249             :         size_t      cbind_input_len;
    1250             :         char       *b64_message;
    1251             :         int         b64_message_len;
    1252             : 
    1253             :         Assert(state->cbind_flag == 'p');
    1254             : 
    1255             :         /* Fetch hash data of server's SSL certificate */
    1256           2 :         cbind_data = be_tls_get_certificate_hash(state->port,
    1257             :                                                  &cbind_data_len);
    1258             : 
    1259             :         /* should not happen */
    1260           2 :         if (cbind_data == NULL || cbind_data_len == 0)
    1261           0 :             elog(ERROR, "could not get server certificate hash");
    1262             : 
    1263           2 :         cbind_header_len = strlen("p=tls-server-end-point,,");    /* p=type,, */
    1264           2 :         cbind_input_len = cbind_header_len + cbind_data_len;
    1265           2 :         cbind_input = palloc(cbind_input_len);
    1266           2 :         snprintf(cbind_input, cbind_input_len, "p=tls-server-end-point,,");
    1267           2 :         memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
    1268             : 
    1269           2 :         b64_message_len = pg_b64_enc_len(cbind_input_len);
    1270             :         /* don't forget the zero-terminator */
    1271           2 :         b64_message = palloc(b64_message_len + 1);
    1272           2 :         b64_message_len = pg_b64_encode(cbind_input, cbind_input_len,
    1273             :                                         b64_message, b64_message_len);
    1274           2 :         if (b64_message_len < 0)
    1275           0 :             elog(ERROR, "could not encode channel binding data");
    1276           2 :         b64_message[b64_message_len] = '\0';
    1277             : 
    1278             :         /*
    1279             :          * Compare the value sent by the client with the value expected by the
    1280             :          * server.
    1281             :          */
    1282           2 :         if (strcmp(channel_binding, b64_message) != 0)
    1283           0 :             ereport(ERROR,
    1284             :                     (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
    1285             :                      (errmsg("SCRAM channel binding check failed"))));
    1286             : #else
    1287             :         /* shouldn't happen, because we checked this earlier already */
    1288             :         elog(ERROR, "channel binding not supported by this build");
    1289             : #endif
    1290             :     }
    1291             :     else
    1292             :     {
    1293             :         /*
    1294             :          * If we are not using channel binding, the binding data is expected
    1295             :          * to always be "biws", which is "n,," base64-encoded, or "eSws",
    1296             :          * which is "y,,".  We also have to check whether the flag is the same
    1297             :          * one that the client originally sent.
    1298             :          */
    1299          28 :         if (!(strcmp(channel_binding, "biws") == 0 && state->cbind_flag == 'n') &&
    1300           0 :             !(strcmp(channel_binding, "eSws") == 0 && state->cbind_flag == 'y'))
    1301           0 :             ereport(ERROR,
    1302             :                     (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1303             :                      (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
    1304             :     }
    1305             : 
    1306          30 :     state->client_final_nonce = read_attr_value(&p, 'r');
    1307             : 
    1308             :     /* ignore optional extensions, read until we find "p" attribute */
    1309             :     do
    1310             :     {
    1311          30 :         proof = p - 1;
    1312          30 :         value = read_any_attr(&p, &attr);
    1313          30 :     } while (attr != 'p');
    1314             : 
    1315          30 :     client_proof_len = pg_b64_dec_len(strlen(value));
    1316          30 :     client_proof = palloc(client_proof_len);
    1317          30 :     if (pg_b64_decode(value, strlen(value), client_proof,
    1318             :                       client_proof_len) != SCRAM_KEY_LEN)
    1319           0 :         ereport(ERROR,
    1320             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1321             :                  errmsg("malformed SCRAM message"),
    1322             :                  errdetail("Malformed proof in client-final-message.")));
    1323          30 :     memcpy(state->ClientProof, client_proof, SCRAM_KEY_LEN);
    1324          30 :     pfree(client_proof);
    1325             : 
    1326          30 :     if (*p != '\0')
    1327           0 :         ereport(ERROR,
    1328             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1329             :                  errmsg("malformed SCRAM message"),
    1330             :                  errdetail("Garbage found at the end of client-final-message.")));
    1331             : 
    1332          30 :     state->client_final_message_without_proof = palloc(proof - begin + 1);
    1333          30 :     memcpy(state->client_final_message_without_proof, input, proof - begin);
    1334          30 :     state->client_final_message_without_proof[proof - begin] = '\0';
    1335          30 : }
    1336             : 
    1337             : /*
    1338             :  * Build the final server-side message of an exchange.
    1339             :  */
    1340             : static char *
    1341          22 : build_server_final_message(scram_state *state)
    1342             : {
    1343             :     uint8       ServerSignature[SCRAM_KEY_LEN];
    1344             :     char       *server_signature_base64;
    1345             :     int         siglen;
    1346             :     scram_HMAC_ctx ctx;
    1347             : 
    1348             :     /* calculate ServerSignature */
    1349          22 :     scram_HMAC_init(&ctx, state->ServerKey, SCRAM_KEY_LEN);
    1350          44 :     scram_HMAC_update(&ctx,
    1351          22 :                       state->client_first_message_bare,
    1352          22 :                       strlen(state->client_first_message_bare));
    1353          22 :     scram_HMAC_update(&ctx, ",", 1);
    1354          44 :     scram_HMAC_update(&ctx,
    1355          22 :                       state->server_first_message,
    1356          22 :                       strlen(state->server_first_message));
    1357          22 :     scram_HMAC_update(&ctx, ",", 1);
    1358          44 :     scram_HMAC_update(&ctx,
    1359          22 :                       state->client_final_message_without_proof,
    1360          22 :                       strlen(state->client_final_message_without_proof));
    1361          22 :     scram_HMAC_final(ServerSignature, &ctx);
    1362             : 
    1363          22 :     siglen = pg_b64_enc_len(SCRAM_KEY_LEN);
    1364             :     /* don't forget the zero-terminator */
    1365          22 :     server_signature_base64 = palloc(siglen + 1);
    1366          22 :     siglen = pg_b64_encode((const char *) ServerSignature,
    1367             :                            SCRAM_KEY_LEN, server_signature_base64,
    1368             :                            siglen);
    1369          22 :     if (siglen < 0)
    1370           0 :         elog(ERROR, "could not encode server signature");
    1371          22 :     server_signature_base64[siglen] = '\0';
    1372             : 
    1373             :     /*------
    1374             :      * The syntax for the server-final-message is: (RFC 5802)
    1375             :      *
    1376             :      * verifier        = "v=" base64
    1377             :      *                   ;; base-64 encoded ServerSignature.
    1378             :      *
    1379             :      * server-final-message = (server-error / verifier)
    1380             :      *                   ["," extensions]
    1381             :      *
    1382             :      *------
    1383             :      */
    1384          22 :     return psprintf("v=%s", server_signature_base64);
    1385             : }
    1386             : 
    1387             : 
    1388             : /*
    1389             :  * Deterministically generate salt for mock authentication, using a SHA256
    1390             :  * hash based on the username and a cluster-level secret key.  Returns a
    1391             :  * pointer to a static buffer of size SCRAM_DEFAULT_SALT_LEN.
    1392             :  */
    1393             : static char *
    1394           2 : scram_mock_salt(const char *username)
    1395             : {
    1396             :     pg_sha256_ctx ctx;
    1397             :     static uint8 sha_digest[PG_SHA256_DIGEST_LENGTH];
    1398           2 :     char       *mock_auth_nonce = GetMockAuthenticationNonce();
    1399             : 
    1400             :     /*
    1401             :      * Generate salt using a SHA256 hash of the username and the cluster's
    1402             :      * mock authentication nonce.  (This works as long as the salt length is
    1403             :      * not larger the SHA256 digest length. If the salt is smaller, the caller
    1404             :      * will just ignore the extra data.)
    1405             :      */
    1406             :     StaticAssertStmt(PG_SHA256_DIGEST_LENGTH >= SCRAM_DEFAULT_SALT_LEN,
    1407             :                      "salt length greater than SHA256 digest length");
    1408             : 
    1409           2 :     pg_sha256_init(&ctx);
    1410           2 :     pg_sha256_update(&ctx, (uint8 *) username, strlen(username));
    1411           2 :     pg_sha256_update(&ctx, (uint8 *) mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
    1412           2 :     pg_sha256_final(&ctx, sha_digest);
    1413             : 
    1414           2 :     return (char *) sha_digest;
    1415             : }

Generated by: LCOV version 1.13